CSA Z246.1:2017 pdf download.Security management for petroleum and natural gas industry systems
1.1 CSA Z246.1 specifies criteria for establishing a security management program for petroleum and natural gas industry systems to ensure security thr eats and associated risks are identified and managed.This Standard provides mitigation and response processes and procedures to prevent and minimize the impact of security incidents that could adversely affect people, the environment, assets, and economic stability.
4.1 Governance
Security governance involves setting organization- wide policies and processes to define how the SMP should be appropriately integrated into the organization's over all management system. Security governance includes management commitment and accountability. Organizational policies provide clear direction, commitment, responsibility, and oversight and define the security envir onment.
4.2 Accountability
SMP governance shall include
a) senior management accountability for the SMP;
b) roles and responsibilities for the development, implementation, control, review, continual improverment, and approval of the SMP across the or ganization;
c) responsibility for the SMP, including sufficient resources to implement and maintain it;
d) security policy that pr ovides clear direction, accountability, and oversight for the SMP; and
e) SMP awareness, roles and responsibilities, accountability, training, and continual improvement for employees and on-site personnel.
4.3 Implementation
The operator shall implerment a docurmented SMP to ensure security incidents and threats to oper ations are identified and associated risks are managed with appropriate measures to minimize the impact of security incidents adversely affecting people, the environment, assets, and economic stability.
5.1 General
The security risk management process (see Figure 4) provides the flexibility needed for proactive decision making to address the security risks to an operator. The operator identifies and classifies security risks in order to develop and implement strategies and security measures to minimize or mitigate risk to assets. Security risk management activities should be commensurate with the type, size,location, and criticality of the assets being protected. Risk is continually assessed across the organization by determining the likelihood and associated consequences of a security incident.
5.4.1 The operator shall develop and implement a documented process to identify current and potential threats that could result in the loss of or damage to an asset. The threat assessment shall consider available and relevant information from both internal and external sources.
5.4.2 The threat assessment should consider
a) presence and identification of a potential adversary;
b) capability of an adversary to carry out a threat based on an assessment and evaluation of the nature of the threat and degree of sophistication needed to carry out the threat (e.g. specific training, financial support, and industry expertise);
c) intentions as to whether the threat has been stated or implied and belief that the threat is real;
d) history of a similar threat occurring to another similar operation within the same industry or region;
e) asset attractiveness;CSA Z246.1 pdf download.